Mercusys AC12G
- AC12G(EU)_V1_200909
- AC12G(EU)_V1_210128
A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The issue arises when the device receives HTTP POST requests to undefined paths. Instead of returning appropriate error responses, the router's VxWorks HTTP server leaks 128 bytes of uninitialized internal buffer contents. This exposure allows unauthenticated adjacent network attackers to access sensitive server state information.
Exploitation of this vulnerability results in the unauthorized disclosure of 128 bytes of internal server state per request. Additionally, the vulnerability causes an out-of-bounds read of 67 bytes beyond the POST body buffer, leaking fragments of HTTP response templates from previous operations. The lack of Address Space Layout Randomization (ASLR) in VxWorks means that any leaked memory addresses are stable and could be used for further exploitation.
To reproduce this vulnerability, send an HTTP POST request to an undefined path, such as '/admin' or '/config', on a Mercusys AC12G (EU) V1 router running the affected firmware. The response will include uninitialized buffer data from the internal memory, violating HTTP protocol standards by placing raw buffer data before the HTTP status line. If a POST body is included, the response will also leak additional memory fragments from previous operations, beyond the boundaries of the POST body.
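A passive check for the response anomaly described above, added here as an example (not code from the advisory or the vendor): it inspects already-captured raw response bytes, for example from a proxy log or packet capture, and reports any data that precedes the HTTP status line. The function names and the sample bytes are constructed for illustration.

```python
import re

# Full status line, e.g. b"HTTP/1.1 404 Not Found\r\n"
STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")
# Simplified header line check: "Name: value\r\n"
HEADER_LINE = re.compile(rb"[A-Za-z0-9-]+:[^\r\n]*\r\n")
EXPECTED_LEAK = 128  # bytes per request, per the advisory


def _headers_ok(raw: bytes, pos: int) -> bool:
    """True if well-formed header lines run from pos to a blank line."""
    while True:
        if raw.startswith(b"\r\n", pos):
            return True
        m = HEADER_LINE.match(raw, pos)
        if not m:
            return False
        pos = m.end()


def inspect_response(raw: bytes) -> dict:
    """Report bytes that precede the real status line in a captured response."""
    for m in STATUS_LINE.finditer(raw):
        # Skip status-line look-alikes inside the leading data (the advisory
        # says leaked memory can contain fragments of response templates).
        if _headers_ok(raw, m.end()):
            prefix = raw[:m.start()]
            return {
                "status": int(m.group(1)),
                "prefix_len": len(prefix),
                "anomalous": len(prefix) > 0,
                "matches_advisory_size": len(prefix) == EXPECTED_LEAK,
                "prefix_preview": prefix[:16].hex(),
            }
    return {"status": None, "prefix_len": len(raw), "anomalous": True,
            "matches_advisory_size": False, "prefix_preview": raw[:16].hex()}


# Constructed samples (not captured from a device).
CLEAN = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
JUNK = b"\x00\xa5" * 40 + b"HTTP/1.1 200 OK\r\n<ht" + b"\xff" * 28  # 128 bytes
LEAKY = JUNK + CLEAN

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, inspect_response(sample))
```

Because no fix is planned, a check like this is mainly useful for confirming exposure from existing captures and for alerting on it at a monitoring point in front of the device.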
No official fix is planned for this vulnerability, as the product is considered end-of-life.